Preferred password manager app? And how to use 2FA TOTP

Glennmatthew83

What's your Preferred password manager app (storing passwords, passkeys, FIDO2, TOTP)?

From Bitwarden to 1password to proton to databases like Keypass?
Please let me me know which one, if any and reason why?
Also, how you prefer to secure specifically Amazon.com, AWS, Github, Microsoft, Google (if you use for Sandboxed GPS) LOL😂
And if you use Seperate Users for different sites specifically like github?

Wadder

Glennmatthew83 I use and recommend KeepassXC and the recommended Android app KeepassDX for all my passwords. Keepass is probably the most reliable offline password manager and has great customization option for people who like to go a bit deeper into the security configurations. Keep in mind that you need to manually sync your password database between applications, this can be automated too.

For my 2FA I use Aegis this is only available for Android (last I check).

See the links to the software to see for yourself.

https://keepassxc.org/

https://www.keepassdx.com/

https://getaegis.app/

I should add, I have used and do have a backup of all my passwords on protonpass too as I'm paid subscriber to their services, although it is only for backup in the event my keepass database ever became corrupted

starglider

Personally, I use Vaultwarden (https://github.com/dani-garcia/vaultwarden). After the Lastpass catastrophe, I decided I wanted to have total control over literally the most important database in my life, and Bitwarden/Vaultwarden's Emergency Access feature really appealed to me (both my wife and I can access the other's accounts if something happens to one of us without having to write down passwords and be sure they're always up-to-date).

However, I actually think this isn't the right solution for most people. I'm pretty nerdy, I like projects, and I already had a lot of the preexisting infrastructure (home servers, a VPN back to my network, familiarity with containers, and most importantly a good backup solution). Backups are probably the single most dangerous part of self-hosting something like a password manager. A server + backup failure is probably more likely than even a lousy service getting attacked, and it can completely ruin you.

But, if you're comfortable with it, the Vaultwarden experience is great. It's fast, extremely low-resource, and you get all of the benefits of the top-tier Bitwarden system. You use the mainline smartphone apps and browser extensions, which all work fine.

Mikeg

starglider Exactly the same for me as well.

monozygote

starglider I have avoided vaultwarden due to

server client nature of it
offline edits not allowed by bitwarden-client / bit-or-vaultwarden server

I don't have an always on machine which is always reachable.... except my phone lol. So I'm wondering with the fancy Android Terminal app bundled with GOS if it is possible to host vaultwarden server there. That way all others can reach it when on my house LAN and when outside I'm OK with only updating/editing on phone assuming clients can reach server over localhost without needing to reach out to the internet.

For this I mainly use keepassxc and keepass2android (not keepassdx because last I checked it lacks opening of multiple databases and makes master-local sync impossible). And then ofc Syncthing the master copy over the house LAN.

Nothing reaches the Net because if you ever accidentally reveal your master key (eg typed in public/under cctv/on company machines with mdm etc) then you'll have to change all your stored passwords (bigggg PITA). If db was always offline then you just change your master password.

Psyonico

Just FYI: proton has TOTP functionality built in to it, so you don't need a separate Authenticator app and if you lose your phone, you don't lose your authenticators

Probably9857

Psyonico proton has TOTP functionality built in to it, so you don't need a separate Authenticator app and if you lose your phone, you don't lose your authenticators

Also convenient if an attacker gains access to either your phone or Proton account. Then they have both passwords and TOTP tokens for all your accounts.

mmobder

Wadder I thought KeePass declared support for otp codes, but you use aegis for that. what's the reason?

otterfoghornrainfall

I second the use of Keepass, which i sync across my devices using SyncThing.

Aeon

I can recommend

Keepass and Bitwarden as Password managers.
Aegis Auth and Ente Auth for 2fa Auth apps

I used to use Keepass as pw manager and currently use Bitwarden.
I am currently using both Aegis and Ente Auth.

Novalissoide

Aeon both Aegis and Ente Auth

Why both of these?

chinook

mmobder it does. You just shouldn't keep all your eggs in the same basket.

Especially with Keepass (with static password which opens entire file) - if a malware steals your file and then password to Keepass, you're toast, more so if all your OTP is there.

Wadder

mmobder compartmentation.

I don't want to keep my 2FA in the same application as my passwords. As in (hopefully unlikely) event someone/thing was gain access into Keepass file they'd be mostly be able to then go break into all my accounts.

I believe this is common practice and recommended by most 'professional' security 'experts'.

ZoraIsHere

Bitwarden for password and Ente Auth for 2FA

othemad

Bitwarden for both password and 2FA

Aeon

Novalissoide

Aegis is my primary 2fa App and I am trying out Ente Auth to have first hand experience when recommending others 2fa Aps :-)

some people want cloud sync while other do not. Ente Auth uses e2ee cloud sync

Mikeg

monozygote Server/client nature is used by most solutions that support multiple types of clients. Offline edits are cached by each client and will work on that client. If the server is offline that client will not sync the change until the server comes back online. Therefore other clients will not get the change until that happens and they sync with the server after it gets updated.

starglider

monozygote I don't have an always on machine which is always reachable.... except my phone

Yeah in this case, self-hosting is not a good idea. Its very difficult to have reliable synchronization without an always-on back end. In this case, paying Bitwarden a dozen bucks a year to run a server for you makes total sense.

mmobder

chinook if a malware steals your file and then password to Keepass

Strange, I thought kpdx allows more robust file protection measures than just password.

So you're not dependent on a single measure.

mercury

mmobder
You are correct, my several vaults are protected with yubikeys, nitrokeys etc... as well as the password.

chinook

mmobder kdbx itself is just a file and doesn't offer any special countermeasures. It's a static file.

Concerning opening the file it the only portable (between systems) ways I see are password+static file. I don't think the actual U2F works, just a static key as a master password .

OTP from the yubikey /similar can be used as well, but I don't think it can be used as 2fa? Does any of these providers work on Linux (keepassxc?) or android?

HMAC challenge/response could be used, but it can't, because Keepass 2 and KeePassXC use different implementations.

Keepass2Android also seems different and to make things worse it enforces synchronising the database, or OTP will stop working. Worst of both worlds.

If not then the password manager than can only be used on one platform isn't so convenient or useful.

So yeah, static password + static key file OR static password on yubikey . Other options not so much, unless all three manuals are wrong.

spl4tt

I literelly just pay bitwarden those 10 bucks a year. It's not a lot and afaik, everything is encrypted anyway, so I'm fine with hosting it with them.

Novalissoide

Aeon Understood. Thank you. 👍🏾